I started my foray into the Cisco ASA about a few months ago as my job started to spill into the network security arena. Similar to the way I felt when I began to learn about Cisco Routers and Switches, I feel a bit like a fish out of water when it comes to the ASA. So I decided that a bottom up approach to learning the ASA platform was needed starting with the basics of an ASA firewall.
The Cisco ASA firewall is known as a stateful firewall. A stateful firewall only permits packets that match an existing rule on the firewall through from one network to another. Once permitted the firewall adds the connection to a state table and any additional traffic matching the entry with the same source and destination is allowed to quickly pass. In a real life scenario you are typically protecting your internal network from the dangers of the Internet. As a result most companies setup their rules to allow connections to be initiated from hosts on the internal network out to the Internet while denying most (if not all) connections from being initiated from the Internet to the internal corporate network. For those devices such as web servers and Internet facing application servers that need to allow hosts outside of the internal network to initiate a connection, companies will setup a segregated section of their network called the DMZ. The DMZ however is not left wide open and unprotected to the Internet; administrators will typically setup rules that only allow specific traffic through, like port 80 and 443 traffic on a web server.
This brings us to specifically how the ASA manages security between different networks. The ASA uses something called network security levels. Network Security levels use the numbers 0 to 100 that are assigned to interfaces on the ASA. 0 is considered the least secure and is typically assigned to the Internet facing interface, 100 is considered the most secure and is typically assigned to the internal network. The idea behind the differing security levels is that traffic is allowed by default to initiate connections from a higher level security zone to a lower level security zone but not vice versa. So, for example an inside network with the security level of 100 can initiate connections to the outside network with the security level of 0 however, the outside network cannot initiate a connection to the inside network. Additional networks can be added with any security level between 100 and 0 including, for example a DMZ network. Most companies will assign a number below 100 to their DMZ, typically 50, because they want the DMZ to have a higher security level than the Internet, but not as high as the inside network. This Allows the DMZ to open connections to the internet but not back to the inside network yet this still allows the inside network to open connections to both the DMZ and the outside.
The concept of security levels work well if you don’t want to allow any traffic from the outside to any hosts on the inside/DMZ and if you want to allow all traffic unfiltered from the inside/DMZ out. However, there are many cases such as the example of a web server I used above when you want to allow traffic from the Internet to a protected network, like your DMZ. You can allow traffic from the outside in by creating access control lists (ACL) that allow specific traffic through, like the web traffic I mentioned above for port 80 and port 443 while denying all other traffic. Additionally you can block specific traffic from the inside out using an ACL as well. Many companies will block traffic from the inside out for things like file sharing applications, instant message clients and network ports used by popular viruses.
Thanks for reading; part 2 will be a beginner’s step-by-step guide to setting up the ASA.